The Cookie Monster

We have looked at the changing picture with regard to cookies’ compliance in previous updates. To recap, the rules have completely changed, so that consent is required, in almost all cases, where a cookie is to be set.

To recap, a cookie is, per the Information Commissioner, “a small file that a website puts on a user’s computer so that it can remember something, for example the user’s preferences, at a later time”. Consent is now required for a cookie to be set; the position previously was that users (who knew about cookies and understood how to do this) could opt out if they were not happy to accept cookies from a website operator. The position changed in May 2011, but the Government and the ICO indicated at the time of implementation of the new regulations that enforcement action would not routinely be taken for the first year so that website operators had an opportunity to look at the cookies which were being set, either by the businesses themselves or by third parties, review the reasons for their use and look at how consent might be obtained going forward.

Clearly the type of cookies used by website operators varies significantly, from those which enable a website to function or to perform the services which a user has asked to receive, such as the cookie which remembers what you have placed in your shopping cart, which are “essential” and for which no consent is required, to third party cookies set for the purposes of understanding a consumer’s online habits so that targeted advertising can be provided. What “consent” means in each situation where it is required (and what is and is not “essential” where consent may not be required) are questions not easily answered. A number of organisations, notably the Internet Advertising Bureau and the International Chamber of Commerce in the UK are carrying out very helpful work which aims to result in the promulgation of pragmatic, business-friendly guidance.

The key focus is an intention to ensure that any relationship between a website operator and a user is transparent, clear and informative. This will necessitate a fundamental change to the way in which cookies are used and, crucially, the information which users have about cookies when they visit a website. The legislative change is not welcomed by all; there are concerns that commercial activity will be impacted and that there are significant implication for business, both in terms of cost and time, in achieving compliance.

The twelve month grace period expires in May, 2012 and, conscious of this, the ICO has published a “half term report” and updated the advice which it published last year, in which it aims to answer many of the questions which have been asked since the regulations came into effect last May. Whilst it is clear that doing nothing is not an option, the Information Commissioner will be looking to work with organisations in their search for what amounts to appropriate consent in relation to the organisation’s own website rather than setting in train a wave of “knee-jerk formal enforcement action” after the end of the grace period.

For any organisations who have not yet started their own “Cookie Audit” or would like advice in relation to appliance, please contact Caroline Redhead or another member of the Commercial Team at Burnetts, who will be pleased to assist.